Samba Logon Bug

July 15, 2023

The Samba logon bug caused by outdated cryptography. Samba, the open source network server software, contains a vulnerability that allows attackers to circumvent authentication and execute scripts on the server. This flaw arises due to outdated cryptography in Samba’s implementation of the Netlogon Remote Protocol.

This Samba logon bug vulnerability was addressed in its several versions, such as 4.4.10 and 4.6.4; however, it remains unpatched on older servers which must be manually upgraded in order to restore protection.

DES hashes

The Samba logon bug is caused by outdated cryptography, specifically DES hashes. This issue has existed since Samba version 2.2.3 and was eventually resolved in Samba 3.0.5.

DES is an encryption algorithm that utilizes a compression permutation technique, making it much less vulnerable to brute force attacks. Furthermore, this reduces the amount of data that must be decrypted, so one DES key can decrypt multiple passwords simultaneously.

A DES hash is composed of two 32-bit plaintext areas, Left Plain Text (LPT) and Right Plain Text (RPT). The LPT is encrypted using the DES key; thereafter, the RPT is also encrypted using both the DES key plus an additional 16-bit salt. Ultimately, this 76-bit value can be encoded into 13 printable ASCII characters for printing purposes.

For years, this method of password security on UNIX systems has been the go-to method for SMB users. The DES hash algorithm is supported by most clients of Samba in all versions.

One way to implement DES in Samba is the smbpasswd file included with the package. This contains an ASCII layout containing MS Windows LanMan and NT-encrypted passwords, as well as some account information.

Another way to use DES is with the pdbedit utility. This tool enables Samba to access a backend POSIX user account created or modified by a Windows NT4 domain account manager without relying on interface scripts required by Samba for proper handling of user, group and machine accounts.

Furthermore, the pdbedit tool does not rely on the operating system to create a user account; this task falls solely within the purview of the system administrator.

Finally, the pdbedit utility does not permit user, group or machine accounts to be resolved to a POSIX account UID by using an LDAP directory – this restriction has been designed with purpose.

The smbpasswd and pdbedit tools provide a backend for storing user, group and machine account information. Both have been created to supplement UNIX user and machine account data that is stored in the UNIX/Linux system accounts database.

MD5 hashes

The Message-Digest algorithm 5 (MD5) is a widely-used cryptographic hash function used in various security applications, such as digital signatures and authentication. Created in 1991 by US cryptographer Ronald Rivest, MD5 replaced the older MD4 algorithm.

Padding transforms a variable-length message into an output of 128 bits, using the technique known as padding. The input message is broken up into chunks of 512-bit blocks and each chunk is padded with some zeros until divisible by 512.

After this, the original message is compared to its hash value to ensure it remains unchanged. This process produces a bit string with several useful properties such as a checksum and an unaltered sequence of characters.

Although this function of message verification is useful, it has a flaw: an attacker could easily craft two messages with identical MD5 hashes due to a collision attack in the algorithm.

Most applications do not encounter this issue. However, password hashing poses a serious security risk as hackers could potentially attempt billions of combinations to guess the correct user passwords.

Thankfully, the Samba project has taken steps to prevent this from occurring again. In November 2022, they introduced a new version of their Kerberos protocol and also fixed an internal security flaw in Samba code that enabled attackers to spoof network data packets.

However, even after this update, malicious attackers with access to a Windows network can still exploit the Samba logon bug and compromise data sent between clients and servers on that same network. This is because Samba’s network authentication relies on an outdated style of cryptographic integrity protection based on MD5 hash function data encryption.

If your website or any web framework uses this hashing scheme, or stores and protects passwords, it’s time to upgrade. You can do this by changing the CMS source code to use a more modern hashing scheme such as SHA-2.

SHA-256 hashes

SHA-256 is one of the world’s most widely utilized hashing algorithms. Introduced in 2001, it can be found in numerous applications such as cryptography, e-mail and encryption protocols. Furthermore, SHA-256 forms part of Proof of Work networks like Bitcoin’s.

Similar to other hash functions, SHA-256 transforms any input into a fixed-length string. No matter if it’s just one word, an entire sentence, or even the entirety of a book, SHA-256 produces an output that measures 256 bits long (32 bytes).

As its name implies, SHA-256 has been officially defined in the FIPS 180-4 standard and rigorously tested. Additionally, independent companies have independently assessed its security to confirm it meets requirements for use in sensitive applications.

Another advantage of SHA-256 is its speed. It can perform a hash of an enormous file thousands of times per second, offering unparalleled efficiency when performing reads and writes. This results in significant performance gains for users.

SHA-256 stands apart from DES and MD5, as it is a one-way function that cannot be reverse engineered from its output. This makes SHA-256 an incredibly secure and efficient algorithm.

Due to this, it’s widely used in e-mails, password hashes and cryptocurrencies like Bitcoin. Additionally, it plays an essential role in the security of websites and servers that require SSL authentication or encryption.

The SHA-256 hash is also used in numerous e-commerce sites, such as Amazon, Facebook and LinkedIn. This makes it essential for safeguarding these platforms against malicious hackers who could steal user data or even breach into their business accounts.

In conclusion, SHA-256 is an extremely secure and efficient hashing algorithm that can be utilized to fix the Samba logon bug caused by outdated cryptography. It makes a great choice for network administrators, since it can be implemented into any version of Samba with ease.

To upgrade to a version of Samba that utilizes SHA-256 cryptography, simply install the latest package on your Linux system. This update will automatically install GnuTLS, providing Samba with an in-tree implementation of SHA-256 cryptography that replaces any in-tree DES cryptography within Samba. Not only will this improve performance but it may help prevent copying speed issues when using SMB3 encryption with GnuTLS as well.

SHA-384 hashes

This issue has been resolved with the latest release of Samba 4.17.5, which introduces MD5 hashes as a default reject for clients and servers alike. As such, any cryptographic components within SMB networking protocols that utilize MD5 algorithms will be rejected both at the server and client level.

This change will protect your network from attacks by ensuring that all servers don’t use outdated cryptography. Doing so makes it more difficult for malicious attackers to exploit vulnerabilities such as CVE-2022-38023 in your infrastructure.

One of the primary causes of this issue is an unfixed security flaw in how Samba handles SHA-384 hashes. SHA-384 is a vital cryptographic hash function used for digital signatures, authentication, and file integrity verification.

SHA-384 hashing is a cryptographic algorithm used to verify the 384 bit digest of an input (or’message’). As part of the SHA-2 family of hash functions, it has long been considered secure and dependable for creating hashes.

A free online SHA-384 hash generator is available to generate random hashes for you. Simply click the button to get started.

Smbstatus can be rendered in JSON format, displaying information such as sessions, connections, open files and byte-range locks more clearly and helpfully. This is particularly helpful when running it on a Samba file server since it provides an expansive overview of your network’s activity.

Samba 4.13 discontinues support for the legacy domain controller mode, allowing Samba to utilize Heimdal 8.0’s Kerberos implementation with an enhanced set of features and functionalities. Notably, this version introduces FAST (Faster and Stable Transport), which encrypts ticket requests and replies encrypted with weak passwords inside a stronger wrapper built with a strong password.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


Data Security Through Data Literacy

Data Security Through Data Literacy

Unlocking data security through data literacy. Explore the pivotal role of understanding data in fortifying cybersecurity measures. Data is now pervasive, and it is important for people to understand how to work with this information. They need to be able to interpret...

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle Drops Malware

Trojan Rigged Tor Browser Bundle drops malware. Stay vigilant against cybersecurity threats, and secure your online anonymity with caution. Threat actors have been using Trojanized installers for the Tor browser to distribute clipboard-injector malware that siphons...

Siri Privacy Risks: Unveiling the Dangers

Siri Privacy Risks: Unveiling the Dangers

Unveiling Siri privacy risks: Understand the potential dangers and take steps to enhance your digital assistant's security. Siri is a great piece of technology, but it can also be dangerous to users’ privacy. This is a serious issue that should be addressed....

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us